Cipher Tools

Symmetric and asymmetric encryption calculators for testing payment cryptography. AES, DES/3DES, RSA, ECDSA, and Format-Preserving Encryption (FPE) variants are all supported with hex inputs and detailed audit logs.

Introduction

Cipher tools live under Tools → Cipher in the main navigation. Each calculator is dedicated to a single algorithm family and exposes the inputs typically required for payment-system testing: hex keys, hex data, IV/tweak values, and mode/padding selectors. Every operation is recorded in the activity log with timestamps and round-trip values.

🔒

AES

128 / 192 / 256-bit AES with selectable cipher modes for both encryption and decryption.

🛡️

DES / 3DES

Single, double, and triple DES with ECB / CBC modes and automatic padding.

🔑

RSA

RSA encryption, decryption, signing, and verification with custom modulus and exponents.

📐

ECDSA

Elliptic Curve Digital Signature Algorithm for key generation, signing, and verification.

🔢

FPE

Format-Preserving Encryption (FF1, FF2 / VAES3, FF3, FF3-1, DFF) for tokenization use cases.

🏛️

Thales RSA

Vendor-aware RSA helpers for Thales key blocks and LMK variant operations.

Common UI Patterns

All cipher calculators share the same conventions:

  • Two-pane layout — Inputs on the left, an activity log on the right that records every operation with timestamps and inputs.
  • Data Input Type — Most tools have an ASCII / Hexadecimal drop-down so you can paste data either way; the field label changes based on the selection.
  • Hex keys — Keys are always entered as continuous hexadecimal (no spaces, no 0x prefix). Length is validated live.
  • Encrypt / Decrypt buttons — Pair of explicit buttons rather than an Encrypt/Decrypt toggle.
  • Copy buttons — Each output supports one-click copy to clipboard.

Tip

Use the activity log to compare consecutive runs side-by-side. The log persists until you clear it or close the tool.

AES Calculator

Encrypt or decrypt data with AES, or compute a Key Check Value over a known key.

Inputs

Field | Description
AES Type | Drop-down: AES-128, AES-192, AES-256.
Mode | Drop-down: ECB, CBC, CFB, OFB, KCV.
Data Input Type | Drop-down: ASCII or Hexadecimal. Changes the input field label.
Input Data | Multi-line text. The field accepts ASCII or hex per the input type.
Key (Hex) | 32 / 48 / 64 hex chars matching the chosen AES type.
Initial Vector (IV) (Hex) | Only shown for CBC, CFB, OFB. 32 hex chars.

Walk-through

  1. Pick AES Type: AES-128, AES-192, or AES-256.
  2. Pick Mode — Choose a cipher mode, or pick KCV to compute a key check value.
  3. Pick Data Input Type: ASCII or Hexadecimal.
  4. Enter Input Data — In KCV mode the input is ignored; otherwise this is the plaintext or ciphertext.
  5. Enter Key (Hex) — A hex key whose length matches the AES type.
  6. Enter IV — If the mode requires one, enter 32 hex chars in the Initial Vector (IV) (Hex) field.
  7. Click Encrypt / Decrypt — Or Calculate KCV when the mode is KCV. The result is appended to the right-hand activity log with a byte count.

KCV Mode

Selecting KCV swaps the Encrypt/Decrypt buttons for a single Calculate KCV button and hides the IV field. The output is the standard 3-byte (6-hex) check value computed over zero plaintext.

Example

AES Type:        AES-128
Mode:            CBC
Data Input Type: Hexadecimal
Key (Hex):       000102030405060708090A0B0C0D0E0F
IV (Hex):        00000000000000000000000000000000
Input Data:      6BC1BEE22E409F96E93D7E117393172A

Output:          7649ABAC8119B246CEE98E9B12E9197D

DES / 3DES Calculator

Single DES or Triple DES with a wide selection of cipher modes and padding schemes commonly used by legacy payment hosts.

Inputs

Field | Description
Algorithm | Drop-down: DES or 3DES.
Mode | Drop-down: ECB, CBC, CFB-8, CFB-64, OFB-8, OFB-64.
Padding | Drop-down: None, Zeros, Spaces, ANSI X9.23, ISO 10126, PKCS#5, PKCS#7, ISO 7816-4, Rijndael, ISO 9797-1 Method 1, ISO 9797-1 Method 2.
Data Input Type | Drop-down: ASCII or Hexadecimal. The input data field label updates accordingly (Input Data (ASCII) / Input Data (Hex)).
Input Data | Multi-line text.
Key (Hex) | 16 hex (DES), 32 hex (2-key 3DES) or 48 hex (3-key 3DES).
Initialization Vector (IV) | 16 hex chars (8 bytes). Shown for non-ECB modes; a KCV chip is displayed alongside.

Walk-through

  1. Pick Algorithm: DES for single DES, 3DES for double or triple length keys.
  2. Pick Mode: ECB or CBC for the typical case; CFB-8/CFB-64/OFB-8/OFB-64 for streaming variants.
  3. Pick Padding — Pick the scheme expected by your host. ISO 9797-1 Method 1 or Method 2 are common in payments.
  4. Pick Data Input Type: ASCII or Hexadecimal.
  5. Enter Input Data in the matching format.
  6. Enter Key (Hex) — The variant (DES, 2-key 3DES, 3-key 3DES) is inferred from the key length you provide.
  7. Enter IV if a chaining mode is selected.
  8. Click Encrypt / Decrypt — The result card displays the output in HEX, plus an ASCII view if the bytes are printable, with copy / clear actions.

Use Cases

  • Encrypting / decrypting PIN blocks under a working key (TPK / PEK).
  • Generating 3DES MACs by chaining ECB operations.
  • Verifying ZPK / ZMK translations during HSM integration.

FPE Calculator

Format-Preserving Encryption keeps the output in the same format as the input — e.g. encrypting a 16-digit PAN into another 16-digit numeric string. Useful for tokenisation and PCI-scope reduction.

Tabs (5)

Each tab is a self-contained calculator for the named variant:

  • FPE-FF1
  • FPE-FF2 (VAES3)
  • FPE-FF3
  • FPE-FF3-1
  • FPE-DFF[OFF-2]

Inputs (per tab)

Field | Description
Radix | Drop-down: 10 (digits), 26 (lower-case alpha), 36 (alphanumeric).
Tweak Radix | Drop-down. Only shown for FPE-FF2 and FPE-DFF.
Encryption Type | Drop-down: AES-128, AES-192, AES-256.
Key Input Type | Drop-down: ASCII or Hexadecimal.
Key | Length matches the encryption type and input format.
Use Tweak? | Checkbox — only on FPE-FF1. When on, an animated Tweak field appears.
Tweak | Visible when applicable; format depends on the variant.
Data | Multi-line input matching the chosen radix alphabet.

Walk-through

  1. Pick the FPE tab matching your spec — FPE-FF1 or FPE-FF3-1 for new work.
  2. Pick Radix: 10 for numeric tokens such as PANs.
  3. Pick Encryption Type — the AES variant for the underlying block cipher.
  4. Pick Key Input Type and enter the Key.
  5. (FF1 only) tick Use Tweak? if you have one, then enter it.
  6. Enter Data — The string must contain only characters in the radix alphabet.
  7. Click Encrypt or Decrypt — The output preserves the original length and alphabet.

Example: Tokenize a PAN (FPE-FF1)

Radix:           10
Encryption Type: AES-128
Key Input Type:  Hexadecimal
Key:             2B7E151628AED2A6ABF7158809CF4F3C
Use Tweak?:      on
Tweak:           39383736353433323130
Data:            0123456789012345

Output:          6124200211725605

RSA Calculator

Six-tab tool covering the full RSA workflow from key generation through padding-aware encryption and signing.

Tabs (6)

  • Keys — Generate or paste a key pair.
  • Encrypt — Encrypt with PKCS1 or no padding.
  • Decrypt — Decrypt ciphertext with the corresponding key.
  • Sign — Produce a signature over a message or hash.
  • Verify — Verify a signature against a hash.
  • OAEP — Encode / decode with OAEP padding.

Keys Tab

  • Key Length (bits): 1024, 2048, 3072, 4096.
  • Generate Keys button.
  • Modulus, Public Exponent (e), Private Exponent (d) — All hex; you can also paste pre-existing components instead of generating.

Encrypt Tab

  • Encoding Method: Public (encrypt with public key) or Private.
  • Padding: PKCS1 or No Padding.
  • Input Data Format: ASCII or Hex.
  • Data to Encrypt.
  • Button: Encrypt.

Decrypt Tab

  • Decoding Method: Private or Public.
  • Padding: PKCS1 or No Padding.
  • Data to Decrypt (Hex).
  • Button: Decrypt.

Sign / Verify Tabs

  • Sign: Input Data Format (ASCII / Hex) and Data to Sign; click Sign.
  • Verify: Hash (Hex) and Signature (Hex); click Verify.

OAEP Tab

  • Method: Encode or Decode.
  • Hash Function: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512.
  • Result Length (bits): 1024, 2048, 4096.
  • Data (Hex), Encoding Parameters (Label, Hex).
  • Button label changes between Encode and Decode based on the selected method.

Thales RSA Calculator

Vendor-aware RSA helpers tailored to Thales PayShield workflows.

Tabs (3)

Generate

Construct an RSA key pair from CRT components (or generate a fresh one). Inputs:

  • Private Exp. (d)
  • Prime 1 (p)
  • Prime 2 (q)
  • Exponent 1 (dModP1)
  • Exponent 2 (dModQ1)
  • Coefficient (iqmp)
  • Key Length (1-4096)

Buttons: Generate (d) from Components, Generate New Random Key.

Thales Key Block

Wrap or unwrap a key pair under a Key Block Protection Key. Inputs:

  • DES KBPK, AES KBPK
  • Public Key Header, Private Key Header
  • Key Block Encryption: AES or DES.
  • Input Format: ASCII or Hex.
  • Public Key, Private Key

Buttons: Wrap Key Block, Unwrap Key Block.

Thales LMK Variant

Apply Thales LMK variants. Inputs:

  • LMK Pair 34-35
  • LMK Pair 36-37
  • Authentication Data
  • Modulus Encoding: DEC / DER variants.
  • Public Key, Private Key

Button: Process LMK Variant.

ECDSA Calculator

Elliptic Curve Digital Signature Algorithm with three workflow tabs.

Keys Tab

  • ECC Curve Name: NIST P-256, NIST P-384, NIST P-521, plus the Brainpool curve variants.
  • Private Key (Hex).
  • Public Key (Hex).
  • Public Key Form: Uncompressed or Compressed.

Buttons: Generate New Public Key, Is Point on Curve?, Generate Random Key Pair, Validate Current Key Pair.

Sign Tab

  • Hash Type: SHA-1, SHA-256, SHA-384, SHA-512.
  • Input Data Format: ASCII or Hex.
  • Data to Sign.

Button: Sign Data. Output is the (r, s) pair in hex.

Verify Tab

  • Hash (Hex).
  • Signature (Hex).

Button: Verify Signature.

Cipher Modes Reference

Mode availability depends on the calculator. AES exposes ECB / CBC / CFB / OFB / KCV. DES / 3DES exposes ECB, CBC, and the CFB-8 / CFB-64 / OFB-8 / OFB-64 byte/feedback variants.

Mode | IV? | Properties
ECB | No | Each block independent. Simple but leaks plaintext patterns.
CBC | Yes | Each block XOR-chained with the previous ciphertext. Secure with a unique, unpredictable IV.
CFB / CFB-8 / CFB-64 | Yes | Self-synchronising stream mode. The numeric variants set the feedback width in bits.
OFB / OFB-8 / OFB-64 | Yes | Key-stream mode independent of plaintext.
KCV | No | AES-only. Computes the standard 3-byte Key Check Value over zero plaintext.
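
The KCV Mode section and the ECB and CBC rows above can be checked outside the tool. The following is an added example, not code from the tool itself: it uses the Python cryptography package, the key, IV and first plaintext block published with the NIST SP 800-38A CBC-AES128 vector, and assumes the KCV is the first 3 bytes of the ECB encryption of one all-zero block. The function names are this example's own.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def aes_encrypt(key: bytes, data: bytes, mode) -> bytes:
    """Raw AES encryption with no padding; data must be a multiple of 16 bytes."""
    enc = Cipher(algorithms.AES(key), mode).encryptor()
    return enc.update(data) + enc.finalize()

def kcv(key: bytes) -> str:
    """Assumed KCV method: ECB-encrypt one all-zero block, keep the first 3 bytes."""
    return aes_encrypt(key, bytes(16), modes.ECB())[:3].hex().upper()

def repeated_blocks(ciphertext: bytes, block: int = 16) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + block] for i in range(0, len(ciphertext), block)]
    return len(blocks) - len(set(blocks))

# Key, IV and first plaintext block of the NIST SP 800-38A CBC-AES128 example.
KEY = bytes.fromhex("2B7E151628AED2A6ABF7158809CF4F3C")
IV = bytes.fromhex("000102030405060708090A0B0C0D0E0F")
BLOCK1 = bytes.fromhex("6BC1BEE22E409F96E93D7E117393172A")

def demo() -> dict:
    doubled = BLOCK1 * 2  # constructed input: the same 16-byte block twice
    ecb = aes_encrypt(KEY, doubled, modes.ECB())
    cbc = aes_encrypt(KEY, doubled, modes.CBC(IV))
    return {
        "kcv": kcv(KEY),
        "cbc_first_block": cbc[:16].hex().upper(),
        "ecb_repeats": repeated_blocks(ecb),  # identical plaintext blocks show through
        "cbc_repeats": repeated_blocks(cbc),  # chaining hides the repetition
        # Reusing key and IV makes equal messages produce equal ciphertexts.
        "same_iv_same_ct": aes_encrypt(KEY, doubled, modes.CBC(IV)) == cbc,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```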

Padding Schemes (DES / 3DES)

The DES / 3DES calculator exposes the full set of padding schemes used across legacy and modern payment protocols. Pick the one your host expects:

Scheme | Notes
None | Input must be an exact multiple of 8 bytes.
Zeros | Pads with 00 bytes. Cannot recover trailing zero bytes.
Spaces | Pads with ASCII space (0x20).
ANSI X9.23 | Random bytes followed by a length byte.
ISO 10126 | Random bytes followed by a length byte (similar to X9.23).
PKCS#5 / PKCS#7 | Self-describing: pad bytes equal the pad length.
ISO 7816-4 | Single 0x80 followed by zero bytes.
Rijndael | Variant used in the original Rijndael spec.
ISO 9797-1 Method 1 | Zero-pad to next block boundary (no length signal).
ISO 9797-1 Method 2 | Single 0x80 then zeros — recommended for MAC inputs.
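
The deterministic schemes in the table above, written out for an 8-byte block to show which ones survive a pad / unpad round trip. This is an added example, not code from the tool: the scheme names and function names are this example's own, Zeros and ISO 9797-1 Method 1 are treated as one scheme that is assumed to add nothing to already-aligned input, and the random-fill schemes are left out.

```python
BLOCK = 8  # DES / 3DES block size in bytes

def pad(data: bytes, scheme: str) -> bytes:
    """Pad data to a multiple of BLOCK; scheme names are this example's own."""
    gap = -len(data) % BLOCK  # bytes missing to reach the next block boundary
    if scheme == "none":
        if gap:
            raise ValueError("input must be an exact multiple of 8 bytes")
        return data
    if scheme == "zeros":  # also ISO 9797-1 Method 1; assumed to add nothing when aligned
        return data + b"\x00" * gap
    if scheme == "iso9797-m2":  # same byte layout as ISO 7816-4
        return data + b"\x80" + b"\x00" * (-(len(data) + 1) % BLOCK)
    if scheme == "pkcs7":
        n = gap or BLOCK  # always adds 1..8 bytes, a full block when aligned
        return data + bytes([n]) * n
    raise ValueError(f"unknown scheme: {scheme}")

def unpad(padded: bytes, scheme: str) -> bytes:
    """Strip padding, rejecting malformed input instead of guessing."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("padded data must be a non-empty multiple of 8 bytes")
    if scheme == "none":
        return padded
    if scheme == "zeros":  # lossy: genuine trailing 00 bytes are stripped too
        return padded.rstrip(b"\x00")
    if scheme == "iso9797-m2":
        body = padded.rstrip(b"\x00")
        if not body.endswith(b"\x80") or len(padded) - len(body) >= BLOCK:
            raise ValueError("bad ISO 9797-1 Method 2 padding")
        return body[:-1]
    if scheme == "pkcs7":
        n = padded[-1]
        if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
            raise ValueError("bad PKCS#7 padding")
        return padded[:-n]
    raise ValueError(f"unknown scheme: {scheme}")

def round_trips(data: bytes, scheme: str) -> bool:
    """True when unpad(pad(data)) returns data unchanged."""
    return unpad(pad(data, scheme), scheme) == data

if __name__ == "__main__":
    sample = bytes.fromhex("0412340000")  # constructed data ending in 00 bytes
    for name in ("zeros", "iso9797-m2", "pkcs7"):
        print(name, pad(sample, name).hex().upper(), round_trips(sample, name))
```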

Tips

  • Use the Bitmap Calculator in the Utility Tools to inspect block alignment when sizes look odd.
  • For HSM-bound keys, prefer Thales RSA → Thales Key Block over the raw RSA tool to keep wrapping consistent.
  • If a known answer test fails, double-check the IV is in hex (not ASCII) and the data length matches the mode requirements.